Google pressure on devs to fix security issues bears fruit

Post navigation

When it comes to fixing vulnerabilities in software and phone apps, the traditional thinking has largely been that developers give security a good-faith effort before their code launches, and once it’s all live, fix what they can when they can – unless the issue is particularly ugly, dangerous, or bad for PR.

All the while, its consumers who must rely on their savvy and a bit of luck to stay safe from attackers who might want to exploit those vulnerabilities, as it’s never a guarantee that the vulnerable software may get fixed.

But some software and app publishers are trying to flip that script and put the onus back onto developers for keeping consumers safe from vulnerable software.

In 2014, Google’s Android team launched Google Play App Security Improvement (ASI) program, with the goal of flagging vulnerable apps and notifying developers that they need to be fixed. At first, the notification was the only real consequence of a discovered vulnerability, but in the past two years the ASI program has grown some real teeth: fix your vulnerable apps by a certain timeline, says the ASI program, or you won’t be able to publish any updates to it until the issues are addressed.

Perhaps it’s thanks to these real consequences that since April 2016, more than 90,000 developers have fixed 11 security issues across 275,000 apps. (Before April 2016, 100,000 apps had been patched, so Android has seen the number of fixed apps nearly triple.) These app developers weren’t on their own trying to figure these issues out: they were all given “resources and guidance” on how to fix the discovered issues, as provided by the Android Security Team, according to Android Security Program Manager Rahul Mishra in a blog post.

Google’s ASI program now provides guidance to developers on 26 potential security issues on Android apps – some of which relate to using out-of-date external libraries and SDK that can be vulnerable to attack.

As part of the acceptance process for being listed on the Google Play store, the Android team scans the app for security vulnerabilities, especially those mentioned on the ASI program. If the app is found to have vulnerabilities that the Android team has flagged as needing fixing, the developer will be notified via the Google Play Developer Console and by email.

If you take a look at the list of the 26 issues the ASI program is currently looking for, several – but not all – of the issues have a solid remediation deadline, with a note in no uncertain terms that any existing apps with these vulnerabilities will be blocked from publication or updating until the issue is fixed.

It isn’t a blanket ban though – the ASI program notes that the punitive action they would take depends on the severity of the vulnerability.

Given the sizeable increase in apps that the Android ASI program has managed to flag, it will be interesting to see if other software or app publishers take a similar approach in proactively working with developers to better secure what they ship to consumers.